rhsa-2024_1752
Vulnerability from csaf_redhat
Published
2024-04-10 12:21
Modified
2024-11-11 09:50
Summary
Red Hat Security Advisory: GitOps 1.12.1 - Argo CD CLI and MicroShift GitOps security update
Notes
Topic
An update is now available for Red Hat OpenShift GitOps v1.12.1 for Argo CD CLI and MicroShift GitOps. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Errata Advisory for Red Hat OpenShift GitOps v1.12.1 - Argo CD CLI and MicroShift GitOps.
Security Fix(es):
* argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment (CVE-2024-21661)
* argo-cd: Users with `create` but not `override` privileges can perform local sync (CVE-2023-50726)
* argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss (CVE-2024-21652)
* argo-cd: uncontrolled resource consumption vulnerability (CVE-2024-29893)
* argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow (CVE-2024-21662)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat OpenShift GitOps v1.12.1 for Argo CD CLI and MicroShift GitOps. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Errata Advisory for Red Hat OpenShift GitOps v1.12.1- Argo CD CLI and MicroShift GitOps.\n\nSecurity Fix(es):\n\n* argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment (CVE-2024-21661)\n\n* argo-cd: Users with `create` but not `override` privileges can perform local\nsync (CVE-2023-50726)\n\n* argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss (CVE-2024-21652)\n\n* argo-cd: uncontrolled resource consumption vulnerability (CVE-2024-29893)\n\n* argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow (CVE-2024-21662)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:1752", "url": "https://access.redhat.com/errata/RHSA-2024:1752" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://docs.openshift.com/gitops/latest/understanding_openshift_gitops/about-redhat-openshift-gitops.html", "url": "https://docs.openshift.com/gitops/latest/understanding_openshift_gitops/about-redhat-openshift-gitops.html" }, { "category": "external", "summary": "2269479", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269479" }, { "category": "external", "summary": "2270170", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270170" }, { "category": "external", "summary": "2270173", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270173" }, { "category": "external", "summary": "2270182", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270182" }, { "category": "external", "summary": "2272211", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272211" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_1752.json" } ], "title": "Red Hat Security Advisory: GitOps 1.12.1- Argo CD CLI and MicroShift GitOps security update", "tracking": { "current_release_date": "2024-11-11T09:50:53+00:00", "generator": { "date": "2024-11-11T09:50:53+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, 
"id": "RHSA-2024:1752", "initial_release_date": "2024-04-10T12:21:14+00:00", "revision_history": [ { "date": "2024-04-10T12:21:14+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-04-10T12:21:14+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-11T09:50:53+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift GitOps 1.12", "product": { "name": "Red Hat OpenShift GitOps 1.12", "product_id": "8Base-GitOps-1.12", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8" } } }, { "category": "product_name", "name": "Red Hat OpenShift GitOps 1.12", "product": { "name": "Red Hat OpenShift GitOps 1.12", "product_id": "9Base-GitOps-1.12", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el9" } } } ], "category": "product_family", "name": "Red Hat OpenShift GitOps" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "product": { "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "product_id": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-5.el8?arch=src" } } }, { "category": "product_version", "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "product": { "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "product_id": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-4.el9?arch=src" } } }, { "category": "product_version", "name": "microshift-gitops-0:1.12.1-4.el9.src", "product": { "name": "microshift-gitops-0:1.12.1-4.el9.src", "product_id": "microshift-gitops-0:1.12.1-4.el9.src", "product_identification_helper": { "purl": 
"pkg:rpm/redhat/microshift-gitops@1.12.1-4.el9?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "product": { "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "product_id": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-5.el8?arch=x86_64" } } }, { "category": "product_version", "name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "product": { "name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "product_id": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli-redistributable@1.12.1-5.el8?arch=x86_64" } } }, { "category": "product_version", "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "product": { "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "product_id": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-4.el9?arch=x86_64" } } }, { "category": "product_version", "name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64", "product": { "name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64", "product_id": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli-redistributable@1.12.1-4.el9?arch=x86_64" } } }, { "category": "product_version", "name": "microshift-gitops-0:1.12.1-4.el9.x86_64", "product": { "name": "microshift-gitops-0:1.12.1-4.el9.x86_64", "product_id": "microshift-gitops-0:1.12.1-4.el9.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/microshift-gitops@1.12.1-4.el9?arch=x86_64" } } } ], 
"category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "product": { "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "product_id": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-5.el8?arch=aarch64" } } }, { "category": "product_version", "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "product": { "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "product_id": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-4.el9?arch=aarch64" } } }, { "category": "product_version", "name": "microshift-gitops-0:1.12.1-4.el9.aarch64", "product": { "name": "microshift-gitops-0:1.12.1-4.el9.aarch64", "product_id": "microshift-gitops-0:1.12.1-4.el9.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/microshift-gitops@1.12.1-4.el9?arch=aarch64" } } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "product": { "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "product_id": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-5.el8?arch=ppc64le" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "product": { "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "product_id": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-5.el8?arch=s390x" } } } ], "category": "architecture", "name": "s390x" }, { 
"branches": [ { "category": "product_version", "name": "microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "product": { "name": "microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "product_id": "microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/microshift-gitops-release-info@1.12.1-4.el9?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64 as a component of Red Hat OpenShift GitOps 1.12", "product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64" }, "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "relates_to_product_reference": "8Base-GitOps-1.12" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le as a component of Red Hat OpenShift GitOps 1.12", "product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le" }, "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "relates_to_product_reference": "8Base-GitOps-1.12" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x as a component of Red Hat OpenShift GitOps 1.12", "product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x" }, "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "relates_to_product_reference": "8Base-GitOps-1.12" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.src as a component of Red Hat OpenShift GitOps 1.12", "product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src" }, "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", 
"relates_to_product_reference": "8Base-GitOps-1.12" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64 as a component of Red Hat OpenShift GitOps 1.12", "product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64" }, "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "relates_to_product_reference": "8Base-GitOps-1.12" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64 as a component of Red Hat OpenShift GitOps 1.12", "product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64" }, "product_reference": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "relates_to_product_reference": "8Base-GitOps-1.12" }, { "category": "default_component_of", "full_product_name": { "name": "microshift-gitops-0:1.12.1-4.el9.aarch64 as a component of Red Hat OpenShift GitOps 1.12", "product_id": "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64" }, "product_reference": "microshift-gitops-0:1.12.1-4.el9.aarch64", "relates_to_product_reference": "9Base-GitOps-1.12" }, { "category": "default_component_of", "full_product_name": { "name": "microshift-gitops-0:1.12.1-4.el9.src as a component of Red Hat OpenShift GitOps 1.12", "product_id": "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src" }, "product_reference": "microshift-gitops-0:1.12.1-4.el9.src", "relates_to_product_reference": "9Base-GitOps-1.12" }, { "category": "default_component_of", "full_product_name": { "name": "microshift-gitops-0:1.12.1-4.el9.x86_64 as a component of Red Hat OpenShift GitOps 1.12", "product_id": "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64" }, "product_reference": "microshift-gitops-0:1.12.1-4.el9.x86_64", "relates_to_product_reference": "9Base-GitOps-1.12" }, { "category": "default_component_of", "full_product_name": { 
"name": "microshift-gitops-release-info-0:1.12.1-4.el9.noarch as a component of Red Hat OpenShift GitOps 1.12", "product_id": "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch" }, "product_reference": "microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "relates_to_product_reference": "9Base-GitOps-1.12" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64 as a component of Red Hat OpenShift GitOps 1.12", "product_id": "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64" }, "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "relates_to_product_reference": "9Base-GitOps-1.12" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.src as a component of Red Hat OpenShift GitOps 1.12", "product_id": "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src" }, "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "relates_to_product_reference": "9Base-GitOps-1.12" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64 as a component of Red Hat OpenShift GitOps 1.12", "product_id": "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64" }, "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "relates_to_product_reference": "9Base-GitOps-1.12" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64 as a component of Red Hat OpenShift GitOps 1.12", "product_id": "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" }, "product_reference": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64", "relates_to_product_reference": "9Base-GitOps-1.12" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-50726", "cwe": { "id": "CWE-269", 
"name": "Improper Privilege Management" }, "discovery_date": "2024-03-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2269479" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Argo CD package. An improper validation bug allows users to sync local manifests on app creation, who have create privileges but not override privileges. All other restrictions, including AppProject restrictions, are still enforced. The only restriction that is not enforced is that the manifests come from some approved git/Helm/OCI source.", "title": "Vulnerability description" }, { "category": "summary", "text": "CD: Users with `create` but not `override` privileges can perform local sync", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", 
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-50726" }, { "category": "external", "summary": "RHBZ#2269479", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269479" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-50726", "url": "https://www.cve.org/CVERecord?id=CVE-2023-50726" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-50726", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50726" }, { "category": "external", "summary": "https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac", "url": "https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978", "url": "https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm" } ], "release_date": "2024-03-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-04-10T12:21:14+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", 
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:1752" }, { "category": "workaround", "details": "To mitigate the risk of branch protection bypass, remove applications and create RBAC access.", "product_ids": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", 
"availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "version": "3.1" }, "products": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "CD: Users with `create` but not `override` privileges can perform local sync" }, { "cve": "CVE-2024-21652", "cwe": { "id": "CWE-307", "name": "Improper Restriction of Excessive Authentication Attempts" }, "discovery_date": "2024-03-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2270170" } ], "notes": [ { "category": "description", "text": "A bypass of brute force protection flaw was found in Argo CD. Since login attempts are stored only in memory, every time the server restarts, that number is lost and unlimited login attempts can be made. 
It is possible to bypass brute force protections by chaining this issue with a denial of service issue, such as CVE-2024-21661.", "title": "Vulnerability description" }, { "category": "summary", "text": "argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-21652" }, { "category": "external", "summary": "RHBZ#2270170", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270170" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-21652", "url": 
"https://www.cve.org/CVERecord?id=CVE-2024-21652" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21652", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21652" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv" } ], "release_date": "2024-03-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-04-10T12:21:14+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:1752" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available 
options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", 
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss" }, { "cve": "CVE-2024-21661", "cwe": { "id": "CWE-567", "name": "Unsynchronized Access to Shared Data in a Multithreaded Context" }, "discovery_date": "2024-03-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2270173" } ], "notes": [ { "category": "description", "text": "A flaw was found in Argo CD that may result in a remote denial of service. The expireOldFailedAttempts function modifies an array while it is being iterated over. 
This issue may cause an application crash when executed in a multi-threaded environment if two threads interact with the same array simultaneously.", "title": "Vulnerability description" }, { "category": "summary", "text": "argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-21661" }, { "category": "external", "summary": "RHBZ#2270173", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270173" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-21661", 
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21661" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21661", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21661" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7" } ], "release_date": "2024-03-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-04-10T12:21:14+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:1752" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this 
issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "product_ids": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", 
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment" }, { "cve": "CVE-2024-21662", "cwe": { "id": "CWE-307", "name": "Improper Restriction of Excessive Authentication Attempts" }, "discovery_date": "2024-03-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2270182" } ], "notes": [ { "category": "description", "text": "A flaw was found in Argo CD, where the rate limit for login attempts may be bypassed due to an incomplete fix for CVE-2020-8827. The cache-based mechanism is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by sending excessive login attempts for different users, thereby pushing out the admin account\u0027s failed attempts and effectively resetting the rate limit for that account. 
This enables attackers to perform brute force attacks at an accelerated rate, especially targeting the default admin account.", "title": "Vulnerability description" }, { "category": "summary", "text": "argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-21662" }, { "category": "external", "summary": "RHBZ#2270182", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270182" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-21662", "url": 
"https://www.cve.org/CVERecord?id=CVE-2024-21662" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21662", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21662" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d", "url": "https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b", "url": "https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456", "url": "https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454" } ], "release_date": "2024-03-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-04-10T12:21:14+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", 
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:1752" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", 
"confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow" }, { "cve": "CVE-2024-29893", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2024-03-29T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2272211" } ], "notes": [ { "category": "description", "text": "The ArgoCD repo-server component is vulnerable to a denial of service attack, where it is possible to crash the repo server component through an out-of-memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD\u0027s helm package does not limit the size or time while fetching the data. 
It fetches and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out.", "title": "Vulnerability description" }, { "category": "summary", "text": "argo-cd: uncontrolled memory allocation vulnerability", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-29893" }, { "category": "external", "summary": "RHBZ#2272211", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272211" }, { "category": "external", "summary": 
"https://www.cve.org/CVERecord?id=CVE-2024-29893", "url": "https://www.cve.org/CVERecord?id=CVE-2024-29893" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29893", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29893" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d", "url": "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59", "url": "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd", "url": "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3" } ], "release_date": "2024-03-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-04-10T12:21:14+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", 
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:1752" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64", "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64", "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64" ] } ], "threats": 
[ { "category": "impact", "details": "Moderate" } ], "title": "argo-cd: uncontrolled memory allocation vulnerability" } ] }